otros-systems / otroslogviewer

Log viewer focused on developers work
Apache License 2.0

Clear text password logged after successful connection to SFTP server #610

Closed benlazaro closed 2 years ago

benlazaro commented 2 years ago

I was testing connectivity with a public SFTP server when I noticed in the olv.log file that there is a log statement that is not masking the password when logging the file that is being loaded by OLV. Below is a snippet of the logs, including the clear text password since it is from a publicly available SFTP test server.

INFO  19 Apr 2022;20:07:07.283 [AWT-EventQueue-0] pl.otros.logview.api.gui.LogViewPanelWrapper Log view panel is removed from view. Clearing data table for GC and running onCloseAction action
INFO  19 Apr 2022;20:07:07.287 [AWT-EventQueue-0] pl.otros.logview.logloader.basic.BasicLogLoader Closing LogLoadingSession{id='f238f285-9127-43b5-a7d1-a336acf76740', source=VfsSource{fileObject=sftp://demo:password@test.rebex.net/readme.txt, openMode=From start}} 
DEBUG 19 Apr 2022;20:07:08.130 [Thread-10] pl.otros.logview.logloader.basic.LoadingRunnable Log import stopped
INFO  19 Apr 2022;20:07:08.130 [Thread-10] pl.otros.logview.logloader.basic.LoadingRunnable Loading of files sftp://demo:***@test.rebex.net/readme.txt is finished
INFO  19 Apr 2022;20:07:08.130 [Thread-10] pl.otros.logview.logloader.basic.LoadingRunnable File sftp://demo:***@test.rebex.net/readme.txt loaded
INFO  19 Apr 2022;20:07:08.130 [Thread-10] pl.otros.logview.api.io.Utils Closing file sftp://demo:***@test.rebex.net/readme.txt
INFO  19 Apr 2022;20:07:08.326 [Thread-10] pl.otros.logview.api.io.Utils File sftp://demo:***@test.rebex.net/readme.txt closed
INFO  19 Apr 2022;20:07:08.326 [Thread-10] pl.otros.logview.api.io.Utils Closing file sftp://demo:***@test.rebex.net/readme.txt
INFO  19 Apr 2022;20:07:08.330 [Thread-10] pl.otros.logview.api.io.Utils File sftp://demo:***@test.rebex.net/readme.txt closed
DEBUG 19 Apr 2022;20:07:09.032 [AWT-EventQueue-0] pl.otros.vfs.browser.VfsBrowser Updating selection
DEBUG 19 Apr 2022;20:07:13.455 [AWT-EventQueue-0] pl.otros.vfs.browser.actions.BaseNavigateAction Executing

The second line in the snippet displays the password in clear text, but the subsequent lines mask the password with asterisks. This should be easily reproducible by loading a log file (or any text file for that matter) via the SFTP:// command in the log viewer. I'm using OLV 1.4.16.

benlazaro commented 2 years ago

I checked the code and there are quite a few other places where the password is being logged in clear text. This happens when logging the contents of the text field in the GUI. The log statements that show the password with asterisks do so because the URL was already processed by the Apache VFS library and the getFriendlyName() method is invoked. I will submit a pull request for fixing this issue shortly.
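The comment above describes the gap: a URI that has already been resolved by Apache VFS is printed in its "friendly" form, but the raw text from the GUI field is logged as typed. The following is an added example, not code from otroslogviewer or Apache Commons VFS, showing the two pieces a maintainer would want: a helper that masks the password before a raw URI string reaches a log statement, and a check that scans existing log lines for credentials that were still written in clear text. The class and method names (`UriLogMasker`, `maskPassword`, `findClearTextCredential`) are this example's own; the sample inputs are constructed, the first one reusing the public test URI quoted in the issue.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from otroslogviewer or Apache Commons VFS.
// maskPassword() sanitises a URI string before it is logged;
// findClearTextCredential() flags log lines that still carry a raw password.
public final class UriLogMasker {

    private static final String MASK = "***";

    // scheme://user:password@  (group 1 = scheme and user, group 2 = password)
    private static final Pattern USERINFO =
            Pattern.compile("(?i)([a-z][a-z0-9+.-]*://[^:/@\\s]+):([^@\\s]*)@");

    private UriLogMasker() {}

    /** Replaces the password in the user-info part of a URI with "***". */
    public static String maskPassword(String rawUri) {
        try {
            URI uri = new URI(rawUri);
            String userInfo = uri.getUserInfo(); // decoded; re-encoded below
            int colon = userInfo == null ? -1 : userInfo.indexOf(':');
            if (colon < 0) {
                return rawUri; // no password present, nothing to hide
            }
            String user = userInfo.substring(0, colon);
            // Rebuild the URI with the password replaced; the constructor
            // re-quotes any characters that are illegal in user-info.
            return new URI(uri.getScheme(), user + ":" + MASK, uri.getHost(),
                    uri.getPort(), uri.getPath(), uri.getQuery(), uri.getFragment())
                    .toString();
        } catch (URISyntaxException e) {
            // Text typed into a GUI field may not parse as a URI (e.g. a space in
            // the path). Fall back to the regex so the string is never logged raw.
            return USERINFO.matcher(rawUri).replaceAll("$1:" + MASK + "@");
        }
    }

    /**
     * Returns the masked form of the first clear-text credential found in a
     * log line, or null when the line is clean (already "***" or no user-info).
     */
    public static String findClearTextCredential(String logLine) {
        Matcher m = USERINFO.matcher(logLine);
        while (m.find()) {
            if (!MASK.equals(m.group(2))) {
                return m.group(1) + ":" + MASK + "@";
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs; the first URI is the one quoted in the issue.
        String raw = "sftp://demo:password@test.rebex.net/readme.txt";
        System.out.println(maskPassword(raw));
        // prints sftp://demo:***@test.rebex.net/readme.txt
        System.out.println(maskPassword("sftp://demo@test.rebex.net/readme.txt"));
        // prints the input unchanged: no password in user-info
        System.out.println(maskPassword("sftp://demo:pass@host/read me.txt"));
        // invalid URI (space in path), regex fallback still masks the password

        // Constructed log lines in the shape of the olv.log excerpt above.
        String[] olvLogLines = {
            "INFO  ... BasicLogLoader Closing LogLoadingSession{source=VfsSource{fileObject="
                    + raw + ", openMode=From start}}",
            "INFO  ... LoadingRunnable File sftp://demo:***@test.rebex.net/readme.txt loaded",
        };
        for (String line : olvLogLines) {
            String leak = findClearTextCredential(line);
            System.out.println((leak == null ? "clean: " : "LEAK : ") + line);
        }
    }
}
```

For a `FileObject` that VFS has already resolved, Commons VFS 2 exposes `FileName.getFriendlyURI()`, which is what produces the `***` seen in the later log lines; the helper above covers the raw string before resolution, which is where the leak in this issue comes from. Running `findClearTextCredential` over an existing olv.log is a quick way to confirm that no other log statement still prints the password after the fix.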

svennissel commented 2 years ago

Thank you @benlazaro. I merged it to master. It seems we have enough for a new release.